All releases of 360-FAAR Firewall Analysis Audit and Repair

Release Notes: This is the first release of 360-FAAR Enhanced. This version of 360-FAAR supports all original functionality and enhances it by adding "complex" processing modes, which retain the firewall rulebase's structure and are also capable of handling complex enterprise firewall policies with very high fidelity. Drop, Reject, and Encrypt rule structures are maintained as well as Accept rules. This is a separate code branch from 360-FAAR 0.4.x.

Release Notes: This release fixes Netscreen group name translation bugs. Empty groups are not matched in build_rules subs. Comments are output in 'set name' statements in policy id mode for Netscreen rulebases. Netscreen rule 'name' strings are added with rule descriptions, and net ranges are translated as ranges. Some default services have been updated with a few new service definitions. 'rr' mode 'nat' defaults have been added; these are the same as the 'yes' defaults with CIDR filter NAT translations switched on.

Release Notes: This release adds the "resolve services from 'Any' objects" and the "resolve 'Any' network objects to known nets" options to the 'rr' mode. These new 'rr' mode options require that a log file is loaded and that the output policy is filtered using it. When connectivity is found in the logs which matches a policy instance with the 'Any' service specified, the proto and port or known supernet from the logs are used in the output policy. Resolved objects are reported during the rule build stages and should be added manually.
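An illustration of the 'Any' resolution described in this release note, added here as an example and not taken from 360-FAAR's code. The rule dictionaries, log tuples, `KNOWN_NETS` list and `resolve_any` function are all hypothetical and constructed for this sketch, which resolves 'Any' services and 'Any' sources only.

```python
import ipaddress
from collections import Counter

# All data below is constructed for illustration; it is not 360-FAAR's format.
RULES = [
    {"id": 1, "src": "10.1.0.0/16", "dst": "192.168.10.5/32", "service": "Any"},
    {"id": 2, "src": "Any", "dst": "192.168.20.0/24", "service": "tcp/443"},
]
KNOWN_NETS = ["10.1.0.0/16", "10.2.0.0/16", "172.16.0.0/12"]
LOGS = [  # (src, dst, proto, port) of accepted connections
    ("10.1.4.7", "192.168.10.5", "tcp", 22),
    ("10.1.9.9", "192.168.10.5", "tcp", 22),
    ("10.1.4.7", "192.168.10.5", "udp", 53),
    ("10.2.3.4", "192.168.20.8", "tcp", 443),
    ("8.8.8.8", "192.168.20.9", "tcp", 443),    # source in no known net
    ("10.9.9.9", "192.168.10.5", "tcp", 3389),  # outside rule 1's source
]

def _contains(net, ip):
    return net == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def _known_net(ip):
    """Most specific known net containing ip, or None."""
    hits = [ipaddress.ip_network(n) for n in KNOWN_NETS if _contains(n, ip)]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None

def resolve_any(rules, logs):
    """Replace 'Any' with what the logs show; return (new_rules, unresolved)."""
    new_rules, unresolved = [], []
    for rule in rules:
        seen = Counter()
        for src, dst, proto, port in logs:
            svc = f"{proto}/{port}"
            if not (_contains(rule["src"], src) and _contains(rule["dst"], dst)):
                continue
            if rule["service"] not in ("Any", svc):
                continue
            net = rule["src"] if rule["src"] != "Any" else _known_net(src)
            if net is None:  # left for manual review rather than guessed
                unresolved.append((rule["id"], src))
                continue
            seen[(net, svc)] += 1
        for (net, svc), hits in sorted(seen.items()):
            new_rules.append({"id": rule["id"], "src": net, "dst": rule["dst"],
                              "service": svc, "hits": hits})
    return new_rules, unresolved

if __name__ == "__main__":
    for r in resolve_any(RULES, LOGS)[0]:
        print(r)
```

Rule instances with no matching log traffic produce no output rule, which mirrors filtering the output policy by the log; the `unresolved` list is the part an operator would review by hand.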

Release Notes: This release adds the 'hc' option to build rules in 'rr' mode and arrange the most hit new rules at the top.
Beware: hit count rules are not 100% reliable at present. Hit counts can be multiplied for multi IP objects. 'cl' mode rules now use the original global rule number instead of incrementing it by 1. The defaults have been changed slightly, and a 'log' defaults option added. This release fixes a bug in 'load' mode trying to load files from '.', and Checkpoint rules that are not logged with a rule number are handled now.

Release Notes: This release adds the 'cl' option to clean/filter original rules in 'rr' mode, and allows output of service priority rules as well as the original dst src priority rule build. The 'rr' mode menu has been simplified further. Starting the script without any options now starts load mode to add at least one config. This release fixes a bug in the 'any' object matching; 'any' should now be matched from logs. The rashfilter hash tree format has been changed to match the order of the other rule processing hashes: mergebase, filterbase, and rulegroups; this should reduce memory use slightly.

Release Notes: This release adds the 'mergelog' mode to merge binary log entries from one config with another and significantly updates the user interface. All configs can be loaded from the 'load' menu instead of specifying them on the command line. This release adds 'verbose' switches to 'print' and 'rr' modes so that screen output can be switched off, and all 'end.' key words have been changed to simply '.' to reduce the number of keystrokes needed. Entering '0' now adds all options, and '.' chooses the default if available. The netscreen output stage now uses a default zone if none are specified.

Release Notes: This release changes the command-line options and permits you to process as many configurations as you choose. All code has been refactored into subroutines. Three new modes have been added. "load" mode allows you to load new configuration bundles into an already running instance of 360-FAAR, "copylog" mode associates a log file from one configuration with another loaded or new configuration, and "help" mode prints information about all of the other modes. Undefined warnings have been resolved when using CTRL-C to exit the user loop.

Release Notes: This release permits you to choose the types of rules and which rule actions to include in the rule rationalization mode. Both the 'merge from' and 'filter' rulebases' rule types can be chosen. The 'rr' mode rule unwrap code has been optimized.

Release Notes: This release adds Cisco ASA 8.3+ object NAT to the Cisco reader for static and dynamic NAT. Network objects, ranges, and IPs are translated. Running the script with "--help" or "-h" or "h" prints the simple help screen. Two new options have been added to the "rr" mode filters, to allow encryption rules from the "merge from" and "merge to" rulebases to be used to mask later rules in the "merge from" rulebase. Connectivity matches output during "rr" mode filtering are now listed using the source configuration bundle object names instead of the binary CIDR IPs. This release resolves the menu infinite loop issue.